Overview
BlackSuit, formerly known as Royal, is a prolific ransomware group that emerged in early 2022. Initially utilizing third-party ransomware like BlackCat and custom Zeon variants, the group transitioned to its own custom ransomware in September 2022. Suspected to be composed of former Conti ransomware members (“Team One”), BlackSuit exhibits a high level of sophistication and operational experience, leveraging advanced techniques to evade detection and maximize extortion. They are known for targeting a wide range of organizations globally, including critical infrastructure sectors like healthcare and manufacturing, and employing double extortion tactics. Their operations are characterized by a unique approach to partial encryption, multi-threaded ransomware deployment, and a willingness to engage in direct negotiations with victims.
Known Aliases of BlackSuit Ransomware
- Royal
- Team One (allegedly, based on suspected former Conti affiliation)
Country of Origin of BlackSuit Ransomware
No definite country of origin. However, a significant portion of their victims are located in the United States, suggesting potential ties or operational focus on North America.
Most Recent Attacks Involving BlackSuit Ransomware
- Silverstone Circuit (November 2022): A popular UK motor racing circuit was targeted by the Royal ransomware gang (Note: While not BlackSuit, this highlights the broader activity of ransomware groups evolving from the same origins as BlackSuit). The attack was confirmed by Silverstone Circuit officials.
- CDK Global (June 2024): Massive disruption to automotive industry, widespread outages.
- Connexure (April 2024): Data breach exposing 954,177 individuals’ sensitive information.
- Dallas County, TX (October 2023): The City of Dallas suffered a Royal ransomware attack in May 2023, compromising police communications and stealing over 1 TB of data.
- KADOKAWA (June 2024): Compromise of the Japanese media conglomerate, resulting in the theft of confidential files, contacts, business plans, financial details, and employee data. BlackSuit threatened to leak this data if a ransom wasn’t paid. The attack caused significant disruption to KADOKAWA’s operations, including its Niconico video-sharing platform.
- Numerous other organizations globally: The group’s leak site claimed responsibility for impacting 157 organizations.
BlackSuit Ransomware MITRE ATT&CK Tactics and Techniques
BlackSuit’s activities map to the following MITRE ATT&CK tactics and techniques:
Tactic | Technique ID | Technique Name | Description |
---|---|---|---|
Initial Access | T1021.001 | Remote Services: RDP | Exploiting vulnerable Remote Desktop Protocol (RDP) accounts for initial access. |
Initial Access | T1133 | External Remote Services | Using compromised or vulnerable Remote Monitoring and Management (RMM) software to gain initial access. |
Initial Access | T1190 | Exploit Public-Facing Application | Exploiting vulnerabilities in publicly accessible applications to gain initial access. |
Initial Access | T1566 | Phishing | Using phishing emails (with malicious attachments or links) to deliver malware. |
Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Delivering malware via malicious attachments in phishing emails (e.g., malicious PDFs). |
Initial Access | T1566.002 | Phishing: Spearphishing Link | Delivering malware via malicious links in phishing emails or on websites. |
Initial Access | T1650 | Acquire Access | Potentially using initial access brokers to obtain access to victim networks. |
Execution | T1059 | Command and Scripting Interpreter | Using command-line interpreters (e.g., PowerShell, cmd.exe) to execute malicious commands. |
Persistence | T1133 | External Remote Services | Using legitimate RMM tools to maintain persistence on compromised systems. |
Privilege Escalation | T1078 | Valid Accounts | Using valid (legitimate) accounts with elevated privileges (e.g., domain admin) to move laterally and escalate privileges. |
Privilege Escalation | T1078.002 | Valid Accounts: Domain Accounts | Creating new administrator accounts to maintain persistence and elevated privileges. |
Defense Evasion | T1021.001 | Remote Services: RDP | Using RDP for lateral movement to evade detection. |
Defense Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs | Deleting event logs to hinder forensic analysis. |
Defense Evasion | T1119 | Automated Collection | Using registry keys for automated file collection and execution. |
Defense Evasion | T1484.001 | Domain Policy Modification: Group Policy Modification | Modifying Group Policy Objects to disable security software. |
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Disabling or modifying security tools (e.g., antivirus) to evade detection. |
Defense Evasion | (Inferred) | Partial File Encryption | Encrypting only a portion of each file to evade detection. |
Credential Access | (Inferred) | Various credential harvesting tools | Using tools like Mimikatz and Nirsoft utilities to steal credentials. |
Discovery | T1083 | File and Directory Discovery | Enumerating files and directories on the compromised system. |
Discovery | T1016 | System Network Configuration Discovery | Discovering network configurations to identify potential targets. |
Discovery | T1046 | Network Service Discovery | Discovering network services to identify potential targets. |
Discovery | T1057 | Process Discovery | Discovering running processes to identify potential targets or evade detection. |
Discovery | T1082 | System Information Discovery | Gathering system information for reconnaissance. |
Discovery | T1135 | Network Share Discovery | Discovering network shares to identify potential targets. |
Lateral Movement | T1021.001 | Remote Services: RDP | Using RDP for lateral movement within the network. |
Command and Control | T1105 | Ingress Tool Transfer | Downloading additional tools from C2 servers. |
Command and Control | T1572 | Protocol Tunneling | Using tunneling tools (e.g., Chisel) to communicate with C2 servers. |
Exfiltration | (Inferred) | Various data exfiltration tools | Using tools like Rclone, Cobalt Strike, and potentially Brute Ratel to exfiltrate stolen data. |
Impact | T1486 | Data Encrypted for Impact | Encrypting data to disrupt operations. |
Impact | T1489 | Service Stop | Stopping services to hinder recovery efforts. |
Impact | T1490 | Inhibit System Recovery | Deleting shadow copies to prevent data recovery. |
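The Impact and Defense Evasion rows above (T1490 shadow copy deletion, T1070.001 event log clearing, T1489 service stop) are the techniques that usually fire closest to encryption, so they are worth correlating per host. The following is an added detection example, not code from the original profile or from any vendor; the event records are constructed and the field names (`event_id`, `host`, `user`, `command_line`) are assumptions modelled loosely on Sysmon process-creation and Security audit-log-cleared events.

```python
import re
from dataclasses import dataclass

# Constructed sample records (not real BlackSuit telemetry); field names are
# assumptions for this example, roughly following Sysmon EID 1 / Security EID 1102.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "srv01", "user": "CORP\\svc-backup",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"event_id": 1, "host": "srv01", "user": "CORP\\svc-backup",
     "command_line": "wevtutil.exe cl Security"},
    {"event_id": 1102, "host": "srv01", "user": "CORP\\svc-backup", "command_line": ""},
    {"event_id": 1, "host": "ws07", "user": "CORP\\alice",
     "command_line": "net stop MSSQLSERVER /y"},
    {"event_id": 1, "host": "ws07", "user": "CORP\\alice",
     "command_line": "C:\\Windows\\System32\\notepad.exe report.txt"},
]

# Detection rules keyed by the ATT&CK technique IDs listed in the table above.
RULES = [
    ("T1490", "Inhibit System Recovery: shadow copy deletion",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)),
    ("T1070.001", "Indicator Removal: event log cleared via wevtutil",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("T1489", "Service Stop",
     re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I)),
]

@dataclass(frozen=True)
class Finding:
    technique: str
    host: str
    user: str
    evidence: str

def detect(events):
    """Return one Finding per event that matches a rule or is a log-cleared audit event."""
    findings = []
    for ev in events:
        if ev["event_id"] == 1102:  # Security log: "The audit log was cleared"
            findings.append(Finding("T1070.001", ev["host"], ev["user"], "Security EID 1102"))
            continue
        for tid, _name, pattern in RULES:
            if pattern.search(ev["command_line"]):
                findings.append(Finding(tid, ev["host"], ev["user"], ev["command_line"]))
                break
    return findings

def techniques_per_host(findings):
    """Group distinct technique IDs by host: several Impact techniques on one host
    in a short window is the pattern worth paging on, not any single match."""
    out = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.technique)
    return out
```

In production the same rules would run against a SIEM query rather than an in-memory list, and the per-host grouping would be bounded by a time window (minutes, not the whole retention period).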
Methods of Attack/Infiltration Used by BlackSuit Ransomware
BlackSuit employs multiple initial access vectors, including:
- Phishing: Highly prevalent, using malicious PDF attachments and malvertising links.
- Exploitation of vulnerable public-facing applications: The FBI observed this as a vector.
- Compromised RDP accounts: A common secondary access vector.
- Initial Access Brokers (IABs): Potentially leveraged to gain access and harvest VPN credentials.
Malware/Ransomware Strain(s) Used by BlackSuit Ransomware
BlackSuit’s arsenal extends beyond their namesake ransomware. They strategically employ a range of malware and tools to facilitate their attacks, maximizing their chances of success and minimizing detection. The following details their known malware and tool usage:
- BlackSuit (Royal) Ransomware: This is their primary payload, a sophisticated ransomware variant with several key characteristics:
  - Partial Encryption: A distinctive feature that lets the attackers encrypt only a percentage of each file, making detection harder for security solutions. The percentage is controlled by command-line arguments, giving the operators flexibility in each attack.
  - Multi-Threaded Encryption: Multiple threads are used to significantly speed up encryption, increasing the impact of the attack and shrinking the window for detection and response.
  - Double Extortion: The group exfiltrates data before encryption and threatens to publish it if the ransom isn't paid, significantly increasing the pressure on victims to comply.
  - RSA-4096 and AES-256 Encryption: Strong algorithms protect the encrypted data and the encryption keys. The RSA key is often embedded in plain text within the binary; while this seems unusual, it may be a calculated trade-off to reduce the complexity of the malware.
  - Cross-Platform Capability: BlackSuit ransomware has been observed in both Windows and Linux variants, expanding their potential targets. The Linux variant is remarkably similar to the Windows version, lacking obfuscation and storing strings in plaintext.
- Threat Loaders: BlackSuit often uses loaders to deliver the primary payload, obscuring the final ransomware and increasing the likelihood of a successful infection. Known loaders include:
  - BATLOADER: A prevalent loader known for delivering a variety of malware payloads.
  - Qbot (Qakbot): Another widely used loader capable of delivering a variety of malware, including ransomware.
- Post-Exploitation Frameworks: Once initial access is gained, BlackSuit uses post-exploitation frameworks to maintain persistence, move laterally within the network, and exfiltrate data. A key tool in their arsenal is:
  - Cobalt Strike: A widely used penetration testing framework frequently abused by ransomware operators. BlackSuit uses it for command and control (C2), lateral movement, and data exfiltration. They have been observed using unique watermarks in their Cobalt Strike configurations, possibly indicating the use of cracked versions.
- Information Stealers: Before deploying the ransomware, BlackSuit often uses information stealers to gather sensitive data. Examples include:
  - Vidar Stealer: A well-known information stealer capable of capturing various types of data, including credentials, cookies, and files.
  - Ursnif/ISFB: Another information stealer known for stealing banking information and other sensitive data.
  - Redline Stealer: A data stealer capable of capturing a wide range of sensitive information.
- Other Supporting Tools: BlackSuit employs various other tools to aid in their attacks, including:
  - Rclone: A legitimate file synchronization tool abused for data exfiltration.
  - Chisel: A TCP/UDP tunneling tool used to establish covert communication channels.
  - Mimikatz: A powerful credential-dumping tool used to steal passwords and other credentials.
  - Nirsoft Utilities: A collection of legitimate system utilities that can be misused for credential harvesting and other malicious activities.
  - PsExec: A Sysinternals utility used for remote command execution, facilitating lateral movement.
  - PowerTool: A kernel-level tool used for disabling endpoint security software.
  - NetScan: A network discovery tool used to map the network and identify potential targets.
  - SystemBC and Gootloader: Malware used to maintain persistence and load additional tools.
  - Brute Ratel: A post-exploitation tool used for lateral movement and data exfiltration.
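The partial-encryption behaviour described under the BlackSuit (Royal) Ransomware entry above defeats detectors that expect a whole file to become high-entropy. One defensive response is to measure entropy per window rather than per file, so a document whose leading windows are random-looking while the rest still reads as text stands out. This is an added example, not code from the original profile or from any analysis of the binary; the window size, the two thresholds, and the sample files are assumptions chosen for illustration, and the "encrypted" prefix is simulated with pseudo-random bytes rather than any cipher.

```python
import math
import random

CHUNK = 4096   # bytes per window (assumed; tune to the file sizes you scan)
HIGH = 7.5     # bits/byte at or above which a window looks encrypted/compressed
LOW = 6.0      # bits/byte at or below which a window looks like ordinary content

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each consecutive window of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def looks_partially_encrypted(data: bytes, chunk: int = CHUNK) -> bool:
    """True when the file mixes high-entropy windows with low-entropy ones.
    A fully encrypted file is uniformly high; an untouched document is uniformly low,
    so neither trips this check on its own."""
    ents = chunk_entropies(data, chunk)
    return any(e >= HIGH for e in ents) and any(e <= LOW for e in ents)

def encrypted_fraction(data: bytes, chunk: int = CHUNK) -> float:
    """Share of windows that look encrypted; approximates the operator's chosen percentage."""
    ents = chunk_entropies(data, chunk)
    return sum(1 for e in ents if e >= HIGH) / len(ents) if ents else 0.0

def build_samples():
    """Constructed test input (not real victim files): a 64 KiB repetitive text
    'document', a copy whose leading 25% is overwritten with seeded pseudo-random
    bytes to stand in for an encrypted prefix, and a fully random 'ciphertext'."""
    plain = (b"Quarterly revenue report. Region: EMEA. Status: draft.\n" * 1200)[:65536]
    rng = random.Random(7)
    prefix = bytes(rng.getrandbits(8) for _ in range(len(plain) // 4))
    partial = prefix + plain[len(prefix):]
    full = bytes(rng.getrandbits(8) for _ in range(len(plain)))
    return plain, partial, full
```

Compressed or already-encrypted formats (archives, media, PDFs with embedded images) also produce mixed-entropy windows, so in practice this check is a triage signal to combine with file-type and rename/extension telemetry rather than a verdict on its own.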